Question

我正在使用带有JSF 2 ICEFaces 2的spring security 3 我按如下方式配置了我的应用程序：

除登录外，所有页面都受到保护（需要身份验证）。
登录页面未经过筛选，因此任何用户都可以访问它。

问题：当试图运行app时，用户被重定向到主页，但他没有登录，所以他被重定向到登录页面，页面加载正常，我在调试模式下使用spring security，所以我可以看到访问被拒绝的例外。

这是我的代码：

<beans:beans xmlns="http://www.springframework.org/schema/security"  
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">


    <global-method-security pre-post-annotations="enabled" />   

    <!--  key configuration here is an entry point to be used by security intercepts -->
    <http use-expressions="true"  auto-config="false">

    <session-management session-fixation-protection="none"/>

    <remember-me  token-validity-seconds="1209600"/>

    <!-- Exclude the login page from the security check -->
    <intercept-url pattern="/faces/login.xhtml" access="permitAll"/>

    <!-- All pages requires authentication (not anonymous user) -->
    <intercept-url pattern="/faces/**" access="isAuthenticated()" />

    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/scripts/**" filters="none" />
    <intercept-url pattern="/css/**" filters="none" />  

    <!-- Returns true if the user is not anonymous -->


    <access-denied-handler error-page="/error"/>

    <form-login default-target-url="/users"  
    always-use-default-target="true"            
        login-processing-url="/j_spring_security_check"         
        login-page="/faces/login.xhtml"
        authentication-failure-url="/login?login_error=1"                                                               
    />

    <logout logout-url="/logout" logout-success-url="/login" />     
</http>

<authentication-manager alias="authenticationManager">          
<authentication-provider user-service-ref="userDetailsServiceImpl">
</authentication-provider>
</authentication-manager>


</beans:beans>

这是调试：

DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /**; matched=true
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/login.xhtml (property not equals)
DEBUG [http-8080-5] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-5] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/login.xhtml'; pattern is /faces/login.xhtml; matched=true
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/login.xhtml; Attributes: [permitAll]
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-5] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: 1
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:213) - Authorization successful
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:223) - RunAsManager did not change Authentication object
DEBUG [http-8080-5] (FilterChainProxy.java:362) - /faces/login.xhtml reached end of additional filter chain; proceeding with original chain
DEBUG [http-8080-5] (ExceptionTranslationFilter.java:100) - Chain processed normally
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:338) - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
DEBUG [http-8080-5] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /images/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /images/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /scripts/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /images/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /css/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /scripts/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /**; matched=true
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /scripts/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/login.xhtml (property not equals)
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /**; matched=true
DEBUG [http-8080-5] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /**; matched=true
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-3] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-3] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/login.xhtml'; pattern is /faces/login.xhtml; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/login.xhtml; Attributes: [permitAll]
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: 1
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:213) - Authorization successful
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:223) - RunAsManager did not change Authentication object
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:362) - /faces/login.xhtml reached end of additional filter chain; proceeding with original chain
DEBUG [http-8080-2] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css (property not equals)
DEBUG [http-8080-2] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-3] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/javax.faces.resource/combined.css (property not equals)
DEBUG [http-8080-3] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-3] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /faces/login.xhtml; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /faces/**; matched=true
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-2] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3; Attributes: [isAuthenticated()]
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /faces/login.xhtml; matched=false
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /faces/**; matched=true
DEBUG [http-8080-3] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util; Attributes: [isAuthenticated()]
DEBUG [http-8080-3] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-3] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: -1
DEBUG [http-8080-3] (ExceptionTranslationFilter.java:153) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)

Answer 1

您必须定义登录页面本身无需登录即可访问。

<security:intercept-url pattern="/faces/login.xhtml" access="permitAll" />

并将此行放在“全部捕获”行之前：

<intercept-url pattern="/faces/**" access="isAuthenticated()" />

参考文档说网址的匹配顺序与声明的顺序相同！

access和filter属性之间的区别 - 您需要知道Spring安全性具有完整的过滤器链，而accessDesisionFilter只是其中之一。（此完整过滤器链由<security:http auto="true">

启动

使用filters =“none”通过在Spring Security的FilterChainProxy中创建空过滤器链来操作，而access属性用于配置由命名空间配置创建的单个过滤器链中的FilterSecurityInterceptor。这两个是独立应用的，因此如果您对具有filters =“none”属性的模式的子模式具有访问限制，则访问约束将被忽略，即使它首先列出。无法对模式/ **应用filters =“none”属性，因为命名空间过滤器链使用此属性。在3.1版中，事情更灵活。您可以定义多个过滤器链，并且不再支持过滤器属性。

登录页面中拒绝获取访问权限

1 个答案: